Help with Winx16.exe (BKDR_AGOBOT.LS?)
From: henrikdj
Viewed: 336 times
300 points
Date: 18-04-04 22:17

Hi,
I am running W2000.
In the folder c:\winnt\system32 there is a suspicious file - winx16.exe
I became aware of it because traffic started appearing on my ADSL line even though no programs were running.
I virus-scan often (Norman) and update daily, but Norman does not find anything in this file.

In my firewall log I can see that the file initiates traffic (TCP) to the IP address 1.3.3.7
(In the same log there is another file that behaves in a similar way: c:\winnt\system32\peera32.exe)

Norman firewall now blocks the traffic, but I would of course like to get the junk removed.

I have tried searching Google for winx16.exe, but only get 4 hits (one of them in Chinese .... and the link does not work - but the text says ...
<BKDR_AGOBOT.LS - Technical details
<Upon execution, this memory-resident backdoor
<drops a copy of itself as WINX16.EXE in the Windows system folder. ...
<BKDR_AGOBOT.LS - Description and solution
<... In the right panel, locate and delete the entry: WINX16 "winx16.exe"; In the left
<panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft ...
the link is to a page on www.trendmicro.com that I cannot open

In the Windows Task Manager I can see that both winx16.exe and peera32.exe are listed as running processes.

Regards
Henrik

Comment
From: arlet


Date: 18-04-04 22:22

Download HijackThis: http://www.arlet.dk/hjt.htm

Then I will get you clean

Comment
From: Soenne


Date: 18-04-04 22:26

The link points to a page at Trend Micro that contains the following link http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp and also shows a list of which programs it "kills", including NORMIST.EXE, and it behaves the way you describe; maybe there is something under that link..

Comment
From: henrikdj


Date: 18-04-04 22:50

Arlet - here is the log file from HijackThis:
NB: It says I am running IE v5.00 - but I am actually running IE 6.00 SP1 - with all security patches from Windows Update

Logfile of HijackThis v1.97.7
Scan saved at 22:40:40, on 2004-04-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Nvc\Bin\Zanda.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\winx16.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\peera32.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.EXE
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\workpad\AlarmApp.exe
C:\Program Files\workpad\HOTSYNC.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\npfmsg2.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\dkr00153\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SearchAt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [datesetting] regedit /s c:\winnt\vendordrivers\compaq\datesetting\datesetting.reg
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Randex virus built for IRBMe] irbme.exe
O4 - HKLM\..\Run: [MSIE Parsers] MSIE32ab.exe
O4 - HKLM\..\Run: [Ass and titties] cmd32.exe
O4 - HKLM\..\Run: [Windows driver update] C:\WINNT\system32\dmsvc32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WINX16] winx16.exe
O4 - HKLM\..\Run: [ixplores] ixplores.exe
O4 - HKLM\..\Run: [explor] explor.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\Run: [NVidia Drivers] C:\WINNT\SYSTEM32\jrynfx.exe
O4 - HKLM\..\Run: [MyICQN] mrvdwwx.exe
O4 - HKLM\..\Run: [Peer Manager] peera32.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Symantec Security] symantec32.exe
O4 - HKLM\..\RunServices: [Randex virus built for IRBMe] irbme.exe
O4 - HKLM\..\RunServices: [MSIE Parsers] MSIE32ab.exe
O4 - HKLM\..\RunServices: [Ass and titties] cmd32.exe
O4 - HKLM\..\RunServices: [WINX16] winx16.exe
O4 - HKLM\..\RunServices: [ixplores] ixplores.exe
O4 - HKLM\..\RunServices: [explor] explor.exe
O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
O4 - HKLM\..\RunServices: [Peer Manager] peera32.exe
O4 - HKLM\..\RunServices: [Symantec Security] symantec32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\dmsvc32.exe
O4 - HKCU\..\Run: [ixplores] ixplores.exe
O4 - HKCU\..\Run: [explor] explor.exe
O4 - HKCU\..\Run: [Peer Manager] peera32.exe
O4 - HKCU\..\Run: [Symantec Security] symantec32.exe
O4 - Startup: Alarm Manager.LNK = C:\Program Files\workpad\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\workpad\HOTSYNC.EXE
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/30c41f931a23244ee817/netzip/RdxIE2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5F49A4F0-8208-4715-9F14-EA17689E58F5} (MathObj Class) - https://skinfakse.certifikat.dk/csp/authenticode/PrimeInkCSPInstall.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://lb.bilia.se/carquestdk/Labb/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37784.4977662037
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver/racing/rcriot2/zone/wtinst.cab



Comment
From: arlet


Date: 18-04-04 22:53

That is quite a bandit *S*

Download and run CWShredder from here: http://www.arlet.dk/special.htm
restart and post a new HijackThis log


Comment
From: arlet


Date: 18-04-04 23:05

You do not need a new log, just follow the instructions below:

Agobot virus -> Yes, a whole lot *S*


First move the HijackThis file to a folder created just for it.

Now you have to start fixing:

Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, click on Fix checked, close HijackThis again.
Double-check so that everything gets included.



R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SearchAt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Randex virus built for IRBMe] irbme.exe
O4 - HKLM\..\Run: [MSIE Parsers] MSIE32ab.exe
O4 - HKLM\..\Run: [Ass and titties] cmd32.exe
O4 - HKLM\..\Run: [Windows driver update] C:\WINNT\system32\dmsvc32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WINX16] winx16.exe
O4 - HKLM\..\Run: [ixplores] ixplores.exe
O4 - HKLM\..\Run: [explor] explor.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\Run: [NVidia Drivers] C:\WINNT\SYSTEM32\jrynfx.exe
O4 - HKLM\..\Run: [MyICQN] mrvdwwx.exe
O4 - HKLM\..\Run: [Peer Manager] peera32.exe
O4 - HKLM\..\Run: [Symantec Security] symantec32.exe
O4 - HKLM\..\RunServices: [Randex virus built for IRBMe] irbme.exe
O4 - HKLM\..\RunServices: [MSIE Parsers] MSIE32ab.exe
O4 - HKLM\..\RunServices: [Ass and titties] cmd32.exe
O4 - HKLM\..\RunServices: [WINX16] winx16.exe
O4 - HKLM\..\RunServices: [ixplores] ixplores.exe
O4 - HKLM\..\RunServices: [explor] explor.exe
O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
O4 - HKLM\..\RunServices: [Peer Manager] peera32.exe
O4 - HKLM\..\RunServices: [Symantec Security] symantec32.exe
O4 - HKCU\..\Run: [Windows driver update] C:\WINNT\system32\dmsvc32.exe
O4 - HKCU\..\Run: [ixplores] ixplores.exe
O4 - HKCU\..\Run: [explor] explor.exe
O4 - HKCU\..\Run: [Peer Manager] peera32.exe
O4 - HKCU\..\Run: [Symantec Security] symantec32.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {53B3ABEA-4445-44D9-A01E-088144CAABD9} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/da/filesharingctrl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/30c41f931a23244ee817/netzip/RdxIE2.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312



Find and delete in Safe Mode (F8 at startup):


C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\winx16.exe
C:\WINNT\system32\peera32.exe


Then restart and post a new log here, so we can see whether we have got it completely clean.

Comment
From: henrikdj


Date: 18-04-04 23:19

So I should NOT run CWShredder first?

Comment
From: henrikdj


Date: 19-04-04 00:00

Hi Arlet,
I have now run through the procedure - however, I did not tick the 2 lines with SnagIt:
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll

SnagIt is an application that - even though the name may look suspicious - is completely OK - I use it to capture selected parts of the screen and paste them into e.g. documentation.

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 23:53:30, on 2004-04-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Program Files\Norman\Nvc\Bin\Zanda.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\workpad\AlarmApp.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.EXE
C:\Program Files\workpad\HOTSYNC.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\npfmsg2.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Documents and Settings\dkr00153\My Documents\hijackthis\hjt.exe

O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [datesetting] regedit /s c:\winnt\vendordrivers\compaq\datesetting\datesetting.reg
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Alarm Manager.LNK = C:\Program Files\workpad\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\workpad\HOTSYNC.EXE
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5F49A4F0-8208-4715-9F14-EA17689E58F5} (MathObj Class) - https://skinfakse.certifikat.dk/csp/authenticode/PrimeInkCSPInstall.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://lb.bilia.se/carquestdk/Labb/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37784.4977662037
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver/racing/rcriot2/zone/wtinst.cab



Accepted answer
From: arlet

Received 300 points
Date: 19-04-04 09:07

Yes, it is good that you are awake when I am not. I do know SnagIt


Now you are clean

To protect you against junk I have put together a security package,
which you can download here: www.arlet.dk/pakke.htm
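The triage arlet did by eye above (bare executable names, the same binary registered under HKLM Run, HKLM RunServices and HKCU Run, a RunServices key that NT-family Windows never reads) can be done mechanically, and the second log can be checked against the first to confirm the entries are gone. The script below is an added example for this thread, not part of the original posts and not code from HijackThis; the log excerpts are copied from the two logs above, and the known-good baseline is an assumption made for the example.

```python
"""Triage HijackThis 1.97-style O4 (autostart) lines and diff two logs.

Added example for this thread; not code from HijackThis or the forum.
"""
import re
from collections import defaultdict

# One HijackThis O4 line, e.g.  O4 - HKLM\..\RunServices: [WINX16] winx16.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)

# ASSUMPTION: path-less autostart names this machine had when it was known
# good (taken from the first log). Any other bare name gets reviewed.
KNOWN_GOOD_BARE = {"mobsync.exe", "promon.exe", "loadqm.exe", "logi_mwx.exe"}


def parse_o4(log_text):
    """Return one dict (hive, key, label, cmd) per O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def platform_is_nt(log_text):
    """HijackThis prints 'Platform: ... (WinNT 5.00.2195)' on NT-family Windows."""
    return any(l.strip().startswith("Platform:") and "WinNT" in l
               for l in log_text.splitlines())


def split_command(cmd):
    """Return (basename_lower, has_explicit_path) for the program in an O4 command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, may contain spaces
        exe = cmd[1:cmd.find('"', 1)]
    else:
        exe = cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower(), "\\" in exe


def triage(log_text):
    """Map executable basename -> sorted reasons it deserves 'Fix checked'."""
    nt = platform_is_nt(log_text)
    reasons = defaultdict(set)
    locations = defaultdict(set)
    for e in parse_o4(log_text):
        exe, has_path = split_command(e["cmd"])
        locations[exe].add((e["hive"], e["key"]))
        if e["key"] == "RunServices" and nt:
            # RunServices is honoured only by Windows 9x/Me; on NT it is inert,
            # so something writing it blindly is the usual worm behaviour.
            reasons[exe].add("written to RunServices, a Win9x key that NT ignores")
        if not has_path and exe not in KNOWN_GOOD_BARE:
            reasons[exe].add("launched by bare name (PATH lookup, normally "
                             "%SystemRoot%\\system32) and not in the baseline")
    for exe, locs in locations.items():
        if len(locs) >= 2:                  # Run + RunServices + HKCU persistence
            reasons[exe].add("registered in %d autostart locations: %s"
                             % (len(locs), sorted(locs)))
    return {exe: sorted(r) for exe, r in reasons.items()}


def removed_entries(before_text, after_text):
    """O4 entries present in the first log but gone from the second."""
    key = lambda e: (e["hive"], e["key"], e["label"], e["cmd"])
    after = {key(e) for e in parse_o4(after_text)}
    return [key(e) for e in parse_o4(before_text) if key(e) not in after]


# Excerpts of the two logs posted in the thread (subset of the O4 lines).
BEFORE_LOG = r"""Platform: Windows 2000 SP4 (WinNT 5.00.2195)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Randex virus built for IRBMe] irbme.exe
O4 - HKLM\..\Run: [WINX16] winx16.exe
O4 - HKLM\..\Run: [NVidia Drivers] C:\WINNT\SYSTEM32\jrynfx.exe
O4 - HKLM\..\Run: [Peer Manager] peera32.exe
O4 - HKLM\..\RunServices: [WINX16] winx16.exe
O4 - HKLM\..\RunServices: [Peer Manager] peera32.exe
O4 - HKCU\..\Run: [Peer Manager] peera32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

AFTER_LOG = r"""Platform: Windows 2000 SP4 (WinNT 5.00.2195)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

if __name__ == "__main__":
    for exe, why in triage(BEFORE_LOG).items():
        print(exe, "->", "; ".join(why))
    print("removed after fix:", len(removed_entries(BEFORE_LOG, AFTER_LOG)))
    print("still flagged:", triage(AFTER_LOG))
```

The heuristics are a first pass, not a verdict: a bare name absent from the baseline is flagged for review, and an entry like `[NVidia Drivers] C:\WINNT\SYSTEM32\jrynfx.exe`, which has a full path and sits in a single location, is not caught by them and still needs a human to notice that the label and the random binary name do not match.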

Comment
From: henrikdj


Date: 19-04-04 09:28

Hi Arlet,
Thanks a lot for the help! It is nice that you can get help here on KanDu when the vendor of your antivirus program does not have a virus listed (I searched in vain on Norman for Agobot).
Regards
Henrik

Approval of answer
From: henrikdj


Date: 19-04-04 09:29

Thanks for the answer, arlet.

Comment
From: arlet


Date: 19-04-04 09:33

You are welcome.

Agobot is a worm and it cannot be found by any antivirus programs. Sometimes there are some AV programs that find Agobot (and Blaster, which is also a worm), but it is rare.

but with HijackThis we ALWAYS find it

Arlet - Agobot/Blaster
255 - 0

hehe
